git-repo-scanner

Git-Repo-Scanner is a small Python script which discovers repositories on GitHub or GitLab. The main purpose of this scanner is to provide a cascading input for the gitleaks scanner.

Deployment

The git-repo-scanner can be deployed with helm:

helm upgrade --install gitleaks secureCodeBox/git-repo-scanner

Scanner configuration

The scanner options can be divided into two groups, one for gitlab and one for github. You choose the git repository type with the option:

--git-type github
or
--git-type gitlab

GitHub

For type github you can use the following options:

  • --organization: The name of the github organization you want to scan.
  • --url: The url of the api of a github enterprise server. Skip this option for repos on https://github.com.
  • --access-token: Your personal github access token.
  • --ignore-repos: A list of github repository ids you want to ignore.

For now only organizations are supported, so the --organization option is mandatory. We strongly recommend providing an access token for authentication; without one, rate limiting kicks in after about 30 scanned repositories.

GitLab

For type gitlab you can use the following options:

  • --url: The url of the gitlab server.
  • --access-token: Your personal gitlab access token.
  • --group: A specific gitlab group id you want to scan, including its subgroups.
  • --ignore-groups: A list of gitlab group ids you want to ignore.
  • --ignore-repos: A list of gitlab project ids you want to ignore.

For gitlab the url and the access token are mandatory. If you don't provide a specific group id, all projects on the gitlab server are discovered.

Chart Configuration

Key | Type | Default | Description
image.repository | string | "docker.io/securecodebox/scanner-git-repo-scanner" | Container image to run the scan
image.tag | string | nil | defaults to the chart's version
parserImage.repository | string | "docker.io/securecodebox/parser-git-repo-scanner" | Parser image repository
parserImage.tag | string | defaults to the chart's version | Parser image tag
scannerJob.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scannerJob.extraContainers | list | [] | Optional additional containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scannerJob.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scannerJob.securityContext | object | {} | Optional securityContext set on the scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scannerJob.ttlSecondsAfterFinished | string | nil | Defines how long the scanner job remains available after it has finished (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/)

Examples

github-secureCodeBox-scan

This example scans the organization secureCodeBox on github. Remember to add an access token to avoid rate limiting:

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "scan-github"
spec:
  scanType: "git-repo-scanner"
  parameters:
    - "--git-type"
    - "github"
    - "--organization"
    - "secureCodeBox"
  cascades:
    matchLabels:
      securecodebox.io/intensive: medium
      securecodebox.io/invasive: non-invasive

gitlab-group-scan

This example shows how to scan a specific group on a GitLab server. It also excludes certain subgroups and projects contained in this group:

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "scan-company-gitlab-group"
spec:
  scanType: "git-repo-scanner"
  parameters:
    - "--git-type"
    - "gitlab"
    - "--url"
    - "https://gitlab.your-company.com"
    - "--access-token"
    - "<YOUR-GITLAB-TOKEN>"
    - "--group" # gitlab group id to scan, including its subgroups
    - "542"
    - "--ignore-groups" # subgroup ids inside that group to skip
    - "723"
    - "--ignore-repos" # gitlab project ids to skip (option name as listed under GitLab above)
    - "423"
    - "123"
  cascades:
    matchLabels:
      securecodebox.io/intensive: medium
      securecodebox.io/invasive: non-invasive
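As an added pre-flight check (not code from the scanner or the chart), the following Python applies the mandatory-option rules from the Scanner configuration section to a Scan's spec.parameters list, so a misconfigured Scan is caught before it is applied to the cluster. SAMPLE_PARAMETERS is a constructed copy of the gitlab example's parameters; build_parser and check_parameters are names chosen here and mirror only the options documented above.

```python
import argparse

# Constructed sample: spec.parameters of a Scan, in the shape of the gitlab example above.
SAMPLE_PARAMETERS = [
    "--git-type", "gitlab",
    "--url", "https://gitlab.your-company.com",
    "--access-token", "<YOUR-GITLAB-TOKEN>",
    "--group", "542",
    "--ignore-groups", "723",
    "--ignore-repos", "423", "123",
]

def build_parser():
    # Mirrors the options documented above; github and gitlab share one parser.
    p = argparse.ArgumentParser(prog="git-repo-scanner", add_help=False)
    p.add_argument("--git-type", choices=["github", "gitlab"], required=True)
    p.add_argument("--organization")
    p.add_argument("--url")
    p.add_argument("--access-token")
    p.add_argument("--group")
    p.add_argument("--ignore-groups", nargs="+", default=[])
    p.add_argument("--ignore-repos", nargs="+", default=[])
    return p

def check_parameters(parameters):
    """Return the problems found in a parameter list; [] means it is well-formed."""
    try:
        args = build_parser().parse_args([str(x) for x in parameters])
    except SystemExit:  # argparse exits on unknown options or a missing --git-type
        return ["parameters do not parse (unknown option or missing --git-type)"]
    problems = []
    if args.git_type == "github":
        if not args.organization:
            problems.append("github: --organization is mandatory")
        if not args.access_token:
            problems.append("github: no --access-token, rate limiting after ~30 repositories")
    else:
        if not args.url:
            problems.append("gitlab: --url is mandatory")
        if not args.access_token:
            problems.append("gitlab: --access-token is mandatory")
    # GitHub repository ids and GitLab group/project ids are numeric.
    for value in args.ignore_groups + args.ignore_repos:
        if not value.isdigit():
            problems.append(f"ignore list entry {value!r} is not a numeric id")
    # A literal token in spec.parameters ends up stored in the Scan object in the cluster.
    if args.access_token and not args.access_token.startswith("<"):
        problems.append("a real token is written into spec.parameters; it is readable by anyone who can get Scans")
    return problems
```

Feed it the parameters list from a manifest (for example after loading the YAML with a YAML library); an empty result means the mandatory options for the chosen git type are present.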